wallet 1.0 released

Russ Allbery rra at stanford.edu
Wed Mar 27 23:48:40 EDT 2013


I'm pleased to announce release 1.0 of wallet.

The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data.  Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users.  The wallet
tracks ACLs, metadata, and trace information.  It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication.  One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadmind with richer ACL and metadata
operations.

Changes from previous release:

    Owners of wallet objects are now allowed to destroy them.  In previous
    versions, a special destroy ACL had to be set and the owner ACL wasn't
    used for destroy actions, but operational experience at Stanford has
    shown that letting owners destroy their own objects is a better model.

    wallet-admin has a new sub-command, upgrade, which upgrades the wallet
    database to the latest schema version.  This command should be run
    when deploying any new version of the wallet server.

    A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
    supported.  This ACL type grants access if the LDAP entry
    corresponding to the principal contains the attribute name and value
    specified in the ACL.  The Net::LDAP and Authen::SASL Perl modules are
    required to use this ACL type.  New configuration settings are
    required as well; see Wallet::Config for more information.  To enable
    this ACL type for an existing wallet database, use wallet-admin to
    register the new verifier.

    A new object type, wa-keyring (Wallet::Object::WAKeyring), is now
    supported.  This stores a WebAuth keyring and handles both key
    rotation and garbage collection of old keys on retrieval of the
    keyring.  The WebAuth Perl module is required to use this object
    type.  To enable this object type for an existing wallet database, use
    wallet-admin to register the new object.

    Add a new acl check command which, given an ACL ID, prints yes if that
    ACL already exists and no otherwise.  This is parallel to the check
    command for objects.

    Add a comment field to objects and corresponding commands to
    wallet-backend and wallet to set and retrieve it.  The comment field
    can only be set by the owner or wallet administrators but can be seen
    by anyone on the show ACL.

    The wallet server backend now uses DBIx::Class for the database layer,
    which means that DBIx::Class and SQL::Translator and all of their
    dependencies now have to be installed for the server to work.  If the
    database in use is SQLite 3, DateTime::Format::SQLite should also be
    installed.

    Add docs/objects-and-schemes, which provides a brief summary of the
    current supported object types and ACL schemes.

    The Stanford wallet object and ACL naming policy is now available in
    code form as the Wallet::Policy::Stanford module, which is installed
    as part of the server.  As-is, it is only useful for sites that want
    to adopt an identical naming policy (and will still require overriding
    some of the internal data, like group names), but it may provide a
    useful code example for others wanting to do something similar.

    Update to rra-c-util 4.8:

    * Look for krb5-config in /usr/kerberos/bin after the user's PATH.
    * Kerberos library probing fixes without transitive shared libraries.
    * Fix Autoconf warnings when probing for AIX's bundled Kerberos.
    * Avoid using krb5-config if --with-{krb5,gssapi}-{include,lib} given.
    * Correctly remove -I/usr/include from Kerberos and GSS-API flags.
    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Pass --deps to krb5-config unless --enable-reduced-depends was used.
    * Do not use krb5-config results unless gssapi is supported.
    * Fix probing for Heimdal's libroken to work with older versions.
    * Update warning flags for GCC 4.6.1.
    * Update utility library and test suite for newer GCC warnings.
    * Fix broken GCC attribute markers causing compilation problems.
    * Suppress warnings on compilers that support gcc's __attribute__.
    * Add notices to all files copied over from rra-c-util.
    * Fix warnings when reporting memory allocation failure in messages.c.
    * Fix message utility library compiler warnings on 64-bit systems.
    * Include strings.h for additional POSIX functions where found.
    * Use an atexit handler to clean up after Kerberos tests.
    * Kerberos test configuration now goes in tests/config.
    * The principal of the test keytab is determined automatically.
    * Simplify the test suite calls for Kerberos and remctl tests.
    * Check for a missing ssize_t.
    * Improve the xstrndup utility function.
    * Checked asprintf variants are now void functions and cannot fail.
    * Fix use of long long in portable/mkstemp.c.
    * Fix test suite portability to Solaris.
    * Substantial improvements to the POD syntax and spelling checks.

    Update to C TAP Harness 1.12:

    * Fix compilation of runtests with more aggressive warnings.
    * Add a more complete usage message and a -h command-line flag.
    * Flush stderr before printing output from tests.
    * Better handle running shell tests without BUILD and SOURCE set.
    * Fix runtests to honor -s even if BUILD and -b aren't given.
    * runtests now frees all allocated resources on exit.
    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.
    * Suppress warnings on compilers that support gcc's __attribute__.

You can download it from:

    <http://www.eyrie.org/~eagle/software/wallet/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

